Transcript of: YOUR LAST LINE OF DEFENSE - IBM (Anthony Lim MBA CISSP FCITIL)
IBM Software Group
© IBM Corporation
WEB APPLICATION SECURITY: YOUR LAST LINE OF DEFENSE
Anthony Lim, MBA CISSP FCITIL
Director, Asia Pacific Security
Rational Software
Hong Kong, 03-12-08
IBM Internal Use Only
The Security Journey Continues
• New and More … Applications, Services, Systems
-> Vulnerabilities
-> Hacking methods
-> Viruses, Worms, RATS, Bots … (Remote Access TROJANS = Spyware)
-> GOVERNANCE & COMPLIANCE!
NEW AREAS OF IT SECURITY WEAKNESS ARISE ALL THE TIME
Regulation & Compliance: SARBANES-OXLEY, HIPAA, BASEL II …
• It is part of doing business
• Business Continuity
• An environment of TRUST for doing business
• Ensure Orderliness in the Internet world
• Promote Economic growth
• More than just Confidentiality, Integrity and Availability
• Privacy: 3rd Party Customer Data
People never learn – there will be another Edison Chen case – that's why I still have a job today
Sheer Volume of Applications Keeps You From Getting Ahead of the Problems
1. Security Team Has Become a Bottleneck
2. Lack of Control and Visibility
3. Catching Problems Late in the Cycle
4. Not Monitoring Deployed Applications
5. Difficulty Managing 3rd Party Vendors
Have to do more with less, still; risk is high, accountability is prevalent
It Gets Worse
• WAP, GPRS, EDGE, 3G
• 802.1x
• Broadband
A hacker no longer needs a big machine
Software Application Development Pressures
4 most common laments of the development executive
I’m being asked to:
• Deliver product faster (a lot faster!)
• Increase product innovation
• Improve quality
• Reduce cost
WE ARE HIGHLY DEPENDENT ON WEB SERVICES TODAY
• COMMUNICATIONS: E-Mail, Instant Messaging, Information Transfer
• TRANSACTIONS / ONLINE SERVICES: Internet Banking, e-shopping, Stock trading, B2B, C2C, E-Bay, E*Trade, Amazon, Travel booking, etc.
• WORK / BUSINESS: Internet, Intranet, Extranet; ERP, SCM, CRM, SAP, B2BM, B2C, Company international information services
• PLAY / SOCIAL NETWORKING / RECREATION: YouTube, Facebook, Second Life, Friendster, iTunes, MySpace, BLOGS! …; Organization Membership Portal
• EDUCATION / RESEARCH
• ONLINE STORAGE SERVICES …
The Myth: "Our Site Is Safe"
• We Have Firewalls and IPS in Place: Port 80 & 443 are open for the right reasons
• We Use Network Vulnerability Scanners: neglects the security of the software on the network/web server
• We Audit It Once a Quarter with Pen Testers: applications are constantly changing
• We Use SSL Encryption: only protects data between site and user, not the web application itself
The Alarming Reality
• LexisNexis Data Breach - Washington Post, Feb 17, 2008
• IndiaTimes.com Malware - InformationWeek, Feb 17, 2008
• Hacker breaks into Ecuador's presidential website - Thaindian, Feb 11, 2008
• Hacking Stage 6 - Wikipedia, Feb 9, 2007
• Hacker steals Davidson Cos client data - Falls Tribune, Feb 4, 2008
• RIAA wiped off the Net - TheRegister, Jan 20, 2008
• Chinese hacker steals 18M identities - HackBase.com, Feb 10, 2008
• Mac blogs defaced by XSS - The Register, Feb 17, 2008
• U.S. Embassy Web Site In Manila, Defaced - AllHeadlineNews, Mar 27, 2008
• Greek Ministry websites attacked - eKathimerini, Jan 31, 2008
• Drive-by Pharming in the Wild - Symantec, Jan 21, 2008
• Italian Bank hit by XSS fraudsters - Netcraft, Jan 8, 2008
• Two Indonesian government web sites defaced - CNET Asia, Mar 29, 2008
Real Example: Online Travel Reservation Portal
Change the reserID to 2001200
Real Example: Parameter Tampering: reading another user's transaction (insufficient authorization)
Another customer's transaction slip is revealed, including the email address
Parameter Tampering: reading another user's invoice
The same customer invoice that reveals the address and contact number
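The travel-portal slides above show the root cause in one line: the server looked up a reservation by the client-supplied reserID and never checked who owned it. The following is an added example, not code from the deck or from any IBM product, showing that lookup in its weak form beside a hardened form that enforces ownership on the server. The reservation records, user names and the handler shape are constructed for the demonstration.

```python
"""Parameter tampering (insufficient authorization) on a reservation lookup.

Added example, not from the original deck. RESERVATIONS, the user names and
handle_request() are constructed stand-ins for the portal's data and framework.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Reservation:
    reser_id: int
    owner: str          # session user who made the booking
    email: str
    phone: str


# Constructed sample table: two customers, adjacent ids (as on the slide).
RESERVATIONS: Dict[int, Reservation] = {
    2001199: Reservation(2001199, "alice", "alice@example.com", "+00 0000 0001"),
    2001200: Reservation(2001200, "bob", "bob@example.com", "+00 0000 0002"),
}


class Forbidden(Exception):
    """The caller is not allowed to see the requested record."""


def vulnerable_lookup(session_user: str, reser_id: int) -> Optional[Reservation]:
    """Weak pattern: fetch by the client-supplied id only.

    session_user is accepted but never compared with the record's owner, so a
    changed reserID returns another customer's transaction slip.
    """
    return RESERVATIONS.get(reser_id)


def hardened_lookup(session_user: str, reser_id: int) -> Reservation:
    """Hardened pattern: the ownership check lives next to the data access.

    'Not found' and 'not yours' deliberately produce the same error so the
    response does not reveal which ids exist.
    """
    record = RESERVATIONS.get(reser_id)
    if record is None or record.owner != session_user:
        raise Forbidden(f"reservation {reser_id} not available to this session")
    return record


def parse_reser_id(raw: str) -> int:
    """Validate the parameter before it reaches the data layer."""
    if not raw.isdigit():
        raise ValueError("reserID must be a positive integer")
    return int(raw)


def handle_request(
    session_user: str,
    query: Dict[str, str],
    lookup: Callable[[str, int], Optional[Reservation]],
) -> Tuple[int, dict]:
    """Minimal handler returning (HTTP status, body) for a transaction-slip page."""
    try:
        reser_id = parse_reser_id(query.get("reserID", ""))
    except ValueError as exc:
        return 400, {"error": str(exc)}
    try:
        record = lookup(session_user, reser_id)
    except Forbidden:
        return 403, {"error": "forbidden"}
    if record is None:
        return 404, {"error": "not found"}
    return 200, {"reserID": record.reser_id, "email": record.email, "phone": record.phone}


if __name__ == "__main__":
    # alice's own slip is 2001199; the request carries 2001200 instead.
    print(handle_request("alice", {"reserID": "2001200"}, vulnerable_lookup))  # 200, bob's data
    print(handle_request("alice", {"reserID": "2001200"}, hardened_lookup))    # 403
    print(handle_request("alice", {"reserID": "2001199"}, hardened_lookup))    # 200, alice's data
```

The point a reviewer should take from the two functions is where the check sits: putting the owner comparison in the data-access function (rather than in one page template) means every new page that reuses the lookup inherits the control, which is the "application must defend itself" conclusion of the deck in code.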
Web Application Hacks are a Business Issue
Application Threat | Negative Impact | Potential Business Impact
Forceful Browsing / SQL Injection | Unauthorized Site/Data Access | Misdirect customers to bogus site; read/write access to customer databases
Parameter Tampering | Fraud, Data Theft | Alter distributions and transfer accounts
Stealth Commanding | Access O/S and Application | Access to non-public personal information, fraud, etc.
Cross Site Scripting | Identity Theft | Larceny, theft, customer mistrust
Debug Options | Admin Access | Unauthorized access, privacy liability, site compromised
Hidden Fields | Site Alteration | Illegal transactions
Cookie Poisoning | Session Hijacking | Larceny, theft
Buffer Overflow | Denial of Service (DoS) | Site unavailable; customers gone
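The "Cookie Poisoning -> Session Hijacking" row in the table above is the one an application can close entirely on its own, without any firewall help, by refusing to trust a cookie it cannot verify. The following is an added example, not code from the deck or any IBM product: a session cookie carrying an HMAC-SHA256 tag, a reader that trusts the payload as sent (the weak pattern), and a reader that recomputes the tag first. The key, the claims and the tampered cookie used to show the check firing are all constructed.

```python
"""Cookie poisoning vs. an integrity-protected session cookie.

Added example, not from the original deck. SERVER_KEY, the claims and the
tampered cookie produced by tampered_copy() are constructed for the demo.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> str:
    # Canonical JSON so identical claims always yield identical bytes and tag.
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def issue_cookie(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Server side: '<payload>.<tag>' where tag = HMAC-SHA256(key, payload)."""
    payload = _encode_claims(claims)
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def read_cookie_unverified(cookie: str) -> dict:
    """Weak pattern from the threat table: use the client's cookie as sent.

    Whatever 'user' or 'role' the client put in the payload becomes the
    session identity, which is how cookie poisoning turns into hijacking.
    """
    payload = cookie.split(".", 1)[0]
    return json.loads(_unb64(payload))


def read_cookie_verified(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Hardened pattern: recompute the tag and reject anything that differs.

    Returns None for a malformed or tampered cookie so the caller treats the
    request as unauthenticated. compare_digest avoids a timing side channel.
    """
    parts = cookie.split(".", 1)
    if len(parts) != 2:
        return None
    payload, tag = parts
    try:
        sent_tag = _unb64(tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sent_tag, expected):
        return None
    return json.loads(_unb64(payload))


def tampered_copy(cookie: str, **changes) -> str:
    """Test fixture only: edited claims with the original tag left in place,
    which is what a poisoned cookie looks like when it reaches the server."""
    payload, tag = cookie.split(".", 1)
    claims = json.loads(_unb64(payload))
    claims.update(changes)
    return f"{_encode_claims(claims)}.{tag}"


if __name__ == "__main__":
    cookie = issue_cookie({"user": "alice", "role": "customer"})
    forged = tampered_copy(cookie, role="admin")
    print("unverified reader sees:", read_cookie_unverified(forged))  # role 'admin'
    print("verified reader sees:  ", read_cookie_verified(forged))    # None
```

The tag only proves the cookie was issued by a holder of the key; it does not hide the claims, so anything confidential still belongs server-side, keyed by an opaque session id, rather than in the cookie.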
The Fact: Attacks targeted at a new area
Sources: Gartner, IDC, Watchfire
Target | % of Attacks | % of Dollars (security spending on infrastructure & services)
Network Server | 25% | 90%
Web Applications | 75% | 10%
In an organization, IT Security people and developers are poles apart
Existing Solutions Don't Address App Security
• IT Security Solutions are usually for network and infrastructure
  • Firewalls and IPSs don't block application attacks; Port 80, 8080 and 443 are open
  • Network scanners won't find application vulnerabilities (Nessus, ISS, Qualys, Nmap, etc.)
• IT Security professionals are typically from the network/infrastructure area, and usually have little experience in software application development
• Developers are usually not trained in or mandated to security
  • 64% of developers are not confident in their ability to write secure applications – Microsoft Developer Research
• Developers do not care about security, they think it's someone else's job (even though they are the root cause; often developers also don't have security experience)
• Security teams are focused on other issues (network, desktops, etc.) and overwhelmed
  • They don't want to have to deal with another new issue that they don't understand
• No defined policy, accountability or process to deal with the issue; not many people understand application attacks today
Rational Software Quality Management Solutions
SOFTWARE QUALITY SOLUTIONS (spanning Development, Operations and Business)
• Test and Change Management: Rational RequisitePro (Requirements), Rational ClearQuest (Test, Change, Defects)
• Test Automation
  • Developer Test: Rational PurifyPlus, Rational Test RealTime
  • Functional Test, Automated: Rational Functional Tester Plus, Rational Functional Tester, Rational Robot
  • Functional Test, Manual: Rational Manual Tester
  • Performance Test: Rational Performance Tester
  • Security and Compliance Test: AppScan, WebXM
• Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports
Trusted by >2000 Companies Worldwide, x00's in Asia
• Top Technology Vendors
• Top Pharma / Clinical Companies
• Multiple Large Government Agencies
• Top Largest U.S. Retail Banks
• Veteran's Affairs, Navy, Army, Air Force, Marines
Common traits: Large, Complex Web Sites; Extensive Customer Data; Highly Regulated; High User Volume
Used by Leading Security Industry Developers and Consultants
• Consultants and Researchers
• Technology Companies
• EDS
• More …
Building security & compliance into the SDLC
SDLC stages: Build (Developers) -> Coding -> QA -> Security -> Production
• Enable Security to effectively drive remediation into development
• Provide Developers and Testers with expertise on detection and remediation ability
• Ensure vulnerabilities are addressed before applications are put into production
Conclusion: Application QA for Security
• The Application Must Defend Itself: you cannot depend on firewall or infrastructure security to do so
• Bridging the GAP between Software development and Information Security
• QA Testing for Security must now be integrated and strategic
• We need to move security QA testing back to earlier in the SDLC: at the production or pre-production stage it is late and expensive to fix
• Developers need to learn to write code defensively and securely